ZCS 7.0, 6.0.x, and 5.0.x Security Patch Instructions: Difference between revisions
| Line 8: | Line 8: | ||
== Overview == | == Overview == | ||
Oracle has issued '''Oracle Security Alert for CVE-2010-4476''' that affects ZCS releases running version 5.0.x. This security alert addresses “security issue CVE-2010-4476 (Java Runtime Environment hangs when converting ‘2.2250738585072012e-308’ to a binary floating-point number)”. For the full security alert, go to: | Oracle has issued '''Oracle Security Alert for CVE-2010-4476''' that affects ZCS releases running version 7.0, 6.0.x, and 5.0.x. This security alert addresses “security issue CVE-2010-4476 (Java Runtime Environment hangs when converting ‘2.2250738585072012e-308’ to a binary floating-point number)”. For the full security alert, go to: | ||
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html | http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html | ||
Revision as of 16:52, 2 March 2011
Note:
- This advisory does not apply to ZCS releases 7.0.1 and 6.0.11 as they include JDK 1.6u24, which has the security patch from Oracle.
- This advisory does not apply to Zimbra OSX 10.4.
- Read the FPUpdater Tool README before performing this update.
Overview
Oracle has issued Oracle Security Alert for CVE-2010-4476 that affects ZCS releases running version 7.0, 6.0.x, and 5.0.x. This security alert addresses “security issue CVE-2010-4476 (Java Runtime Environment hangs when converting ‘2.2250738585072012e-308’ to a binary floating-point number)”. For the full security alert, go to: http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
To resolve this issue, Oracle has issued the FPUpdater Tool as a patch. If you are running ZCS 7.0, 6.0.x, or 5.0.x, it is recommended that you perform this update. You can obtain this tool and README at: http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html
Example of Installing the FPUpdater Tool Patch on ZCS
Note:
- The following is an example of installing the FPUpdater Tool patch on ZCS and may vary from your update.
- Be sure to run the Java version located at /opt/zimbra/java/bin
- A full backup should be performed before any patch is applied.
1. Obtain the FPUpdater Tool from Oracle at:
http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html
2. On your system, confirm you are running a ZCS 5.0.x version. Enter zmcontrol -v
[zimbra@example ~]$ zmcontrol -v Release 5.0.26_GA_3366.RHEL4_20101215133223 RHEL4 NETWORK edition
3. Run zmcontrol status to verify the ZCS server is running.
[zimbra@example ~]$ zmcontrol status
Host example.eng.vmware.com
antispam Running
antivirus Running
archiving Running
convertd Running
ldap Running
logger Running
mailbox Running
mta Running
snmp Running
spell Running
stats Running
4. Stop ZCS. Enter zmcontrol stop
[zimbra@example ~]$ zmcontrol stop
Host zqa-052.eng.vmware.com
Stopping stats...Done
Stopping mta...Done
Stopping spell...Done
Stopping snmp...Done
Stopping archiving...Done
Stopping antivirus...Done
Stopping antispam...Done
Stopping imapproxy...Done
Stopping mailbox...Done
Stopping convertd...Done
Stopping logger...Done
Stopping ldap...Done
5. As root, unzip the FPUpdater Tool patch. Be sure to place the zip file in the tmp directory.
cd /tmp
[root@example tmp]# unzip ./fpupdater-1_0.zip
Archive: ./fpupdater-1_0.zip
creating: fpupdater/
inflating: fpupdater/fpupdater.jar
6. As root, run the FPUpdater Tool patch. Be sure to run the ZCS Java version in /opt/zimbra/java/bin
/opt/zimbra/java/bin/java -jar fpupdater/fpupdater.jar –u
Example of the FPUpdater Tool script installing on ZCS
Note: Your output will differ
[root@example tmp]# cd /opt/zimbra/jdk1.5.0_20/jre/lib java.home: /opt/zimbra/jdk1.5.0_20/jre java.vendor: Sun Microsystems Inc. java.version: 1.5.0_20 os.name: Linux Checking for update for major: 1.5.0 minor: 20 Retrieved update jar file from tool: /opt/zimbra/jdk1.5.0_20/jre/tmpUpdate1559471137797517925/tmpUpdate9221570560858611948.jar Updating files. Please note this can take several minutes to run. Allow FPUpdater tool to complete. Jar file /opt/zimbra/jdk1.5.0_20/jre/lib/rt.jar.fpupdater successfully verified. Done backup of rt.jar to /opt/zimbra/jdk1.5.0_20/jre/lib/rt.jar.fpupdater Made working copy of rt.jar: /opt/zimbra/jdk1.5.0_20/jre/lib/tmpUpdate1977471307117885279/copyofRt.jar Jar file /opt/zimbra/jdk1.5.0_20/jre/lib/tmpUpdate1977471307117885279/copyofRt.jar succesfully verified. Moving working copy of rt.jar back to live rt.jar. Update applied successfully to java.home path : /opt/zimbra/jdk1.5.0_20/jre
7. Confirm the patch files rt.jar.fpupdater, rt.jar, and .fpupdater.log are installed successfully. Cd to /opt/zimbra/java/jre/lib to confirm.
Note: "0" bytes for *.log is correct.
-rw-r--r-- 1 root root 40218589 Feb 28 12:22 rt.jar.fpupdater -rw-r--r-- 1 root root 40211603 Feb 28 12:22 rt.jar -rw-r--r-- 1 root root 0 Feb 28 12:22 .fpupdater.log drwxr-xr-x 6 root root 4096 Feb 28 12:22 .. drwxr-xr-x 17 root root 4096 Feb 28 12:22 . [root@example lib]# pwd /opt/zimbra/jdk1.5.0_20/jre/lib
8. As Zimbra, su – zimbra, enter zmcontrol start to restart ZCS for changes to take effect.
[root@example lib]# su – zimbra
[zimbra@example ~]$ zmcontrol start
Host example.eng.vmware.com
Starting ldap...Done.
Starting logger...Done.
Starting convertd...Done.
Starting mailbox...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting archiving...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
9. To verify the server is running, enter zmcontrol status
[zimbra@example ~]$ zmcontrol status
Host example.eng.vmware.com
antispam Running
antivirus Running
archiving Running
convertd Running
ldap Running
logger Running
mailbox Running
mta Running
snmp Running
spell Running
stats Running
